
Thursday, May 30, 2013

CTL Model Checking

Fixed-point Theory

Complete Lattice

A complete lattice is a partially ordered set in which every subset has a join ($\cup$) and a meet ($\cap$). The join gives the least upper bound and the meet the greatest lower bound. The state space of a Kripke model forms a complete lattice under set inclusion, i.e. $(2^S, \subseteq)$ is a complete lattice.

Monotonic Function

$F$ is monotonic if $a \leq b$ implies $F(a) \leq F(b)$; over $(2^S, \subseteq)$ this reads $a \subseteq b \Rightarrow F(a) \subseteq F(b)$.

Tarski's Theorem

A monotonic function over a complete lattice has the least and the greatest fixed point.

Kleene's Theorem

These fixed points can be computed iteratively. If $F$ is monotonic and $\cup$-continuous, the least fixed point is reached as the limit of the increasing chain: $$\emptyset \subseteq F(\emptyset) \subseteq F(F(\emptyset)) \subseteq \ldots$$

Dually, if $F$ is $\cap$-continuous, the greatest fixed point is obtained as the limit of the decreasing chain: $$S \supseteq F(S) \supseteq F(F(S)) \supseteq \ldots$$
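As a minimal sketch (the names lfp and gfp are mine, not from the slides), the two Kleene iterations can be written as follows in Python; on the finite lattice $(2^S, \subseteq)$ monotonicity alone already guarantees termination.

def lfp(f):
    # Least fixed point of a monotone f over (2^S, subseteq): iterate up from the empty set.
    x = frozenset()
    nxt = f(x)
    while nxt != x:
        x, nxt = nxt, f(nxt)
    return x

def gfp(f, top):
    # Greatest fixed point: iterate down from the top element (the whole state space S).
    x = frozenset(top)
    nxt = f(x)
    while nxt != x:
        x, nxt = nxt, f(nxt)
    return x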

Formula Rewriting

All CTL formulae can be rewritten in terms of $\neg, \wedge, \mathbf{EX}, \mathbf{EU}, \mathbf{EG}$ only.

  • $\mathbf{AG}\phi = \neg \mathbf{EF} \neg \phi$
  • $\mathbf{EF}\phi = \mathbf{E}(\top \mathbf{U} \phi)$
  • $\mathbf{A}(\phi_1 \mathbf{U} \phi_2 ) = \neg \mathbf{E}(\neg \phi_2 \mathbf{U} (\neg \phi_1 \wedge \neg \phi_2 )) \wedge \neg \mathbf{EG}\neg \phi_2$
  • $\mathbf{AX} \phi = \neg \mathbf{EX} \neg \phi$

Although not needed in this context, it is worth noting that $\mathbf{EG}\phi = \mathbf{E}(\bot \mathbf{R} \phi)$, i.e. $\phi$ is never released (it has to hold forever along some path).

Tableaux Rules

  • $\mathbf{EF}\phi = \phi \vee \mathbf{EXEF}\phi$
  • $\mathbf{EG}\phi = \phi \wedge \mathbf{EXEG}\phi$
  • $\mathbf{E}(\phi \mathbf{U} \psi) = \psi \vee (\phi \wedge \mathbf{EXE}(\phi \mathbf{U} \psi))$

Pre-Image

In CTL model checking, the basic unit of computation is the set of states satisfying a formula $\phi$, written as the denotation $[\phi]$. The pre-image maps a set of states back to the states that can reach it in one step. It is defined as $$\mathsf{PreImage}([\phi]) = \{s \mid \exists s'. (s, s') \in R \wedge s' \in [\phi]\}$$

$\mathsf{PreImage}$ is a monotonic function over the complete lattice $(2^S, \subseteq)$, thus Kleene's theorem applies. Pre-Image matches the idea of $\mathbf{EX}$, i.e. $[\mathbf{EX}\phi]$ is the pre-image of $[\phi]$.
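A minimal sketch of the pre-image over an explicit transition relation ($R$ is assumed to be a set of state pairs; the function name is mine):

def preimage(R, target):
    # Existential pre-image: states with at least one R-successor inside target, i.e. [EX target].
    return frozenset(s for (s, s2) in R if s2 in target)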

Fixed points for CTL Model Checking

According to the tableaux rules, $\mathbf{EG}$, $\mathbf{EF}$ and $\mathbf{EU}$ can be written as fixed points ($\nu$: greatest, $\mu$: least).

  • $[\mathbf{EG}\phi] = \nu Z. ([\phi] \cap [\mathbf{EX}Z])$
  • $[\mathbf{EF}\phi] = \mu Z. ([\phi] \cup [\mathbf{EX}Z])$
  • $[\mathbf{E}(\phi \mathbf{U} \psi)] = \mu Z. ([\psi] \cup ([\phi] \cap [\mathbf{EX}Z]))$

So given a CTL formula $\phi$, after rewriting, we apply set complement for negation, intersection and union for the boolean connectives, and fixed points for the temporal operators. We say $M \models \phi$ iff $I \subseteq [\phi]$, where $I$ is the set of initial states.
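Reusing lfp, gfp and preimage from the sketches above (again, all names are mine), the three denotations become short Python definitions; $[\phi]$ and $[\psi]$ are assumed given as frozensets of states, and $S$ is the full state space.

def ex(R, phi):                      # [EX phi] = PreImage([phi])
    return preimage(R, phi)

def eg(R, S, phi):                   # [EG phi] = nu Z. [phi] intersect [EX Z]
    return gfp(lambda Z: phi & ex(R, Z), S)

def ef(R, phi):                      # [EF phi] = mu Z. [phi] union [EX Z]
    return lfp(lambda Z: phi | ex(R, Z))

def eu(R, phi, psi):                 # [E(phi U psi)] = mu Z. [psi] union ([phi] intersect [EX Z])
    return lfp(lambda Z: psi | (phi & ex(R, Z)))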

Tuesday, May 28, 2013

On-the-fly Construction of Büchi Automata for LTL Formulae

The previous post introduced the declarative construction, which is exponential: for instance, its LGBA for $p \mathbf{U} q$ has 8 states. The on-the-fly construction, by contrast, only generates the states that are actually needed and typically yields much smaller automata. Of course, distinct automata can express the same language (and hence the same LTL formula).

Negative Normal Form

First we rewrite LTL formulas into their negation normal form (NNF) equivalents, which are built from $\vee, \wedge, \mathbf{X}, \mathbf{U}, \mathbf{R}$ and literals only; negations are pushed down to the atoms. Here we quote some of the rules (a small code sketch follows the list),

  • $\neg \mathbf{X} \phi \Rightarrow \mathbf{X} \neg \phi$
  • $\neg ( \phi \mathbf{U} \psi ) \Rightarrow (\neg \phi \mathbf{R} \neg \psi) $
  • $\neg ( \phi \mathbf{R} \psi ) \Rightarrow (\neg \phi \mathbf{U} \neg \psi) $
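As a minimal sketch (the tuple encoding and function name are mine, not from the slides), formulas can be represented as nested tuples such as ('U', 'p', 'q') or ('not', ('X', 'p')), with atoms as plain strings; nnf pushes negations down to the literals:

def nnf(f):
    if isinstance(f, str):                          # atom
        return f
    op = f[0]
    if op == 'not':
        g = f[1]
        if isinstance(g, str):                      # negated atom is already a literal
            return ('not', g)
        if g[0] == 'not':                           # double negation
            return nnf(g[1])
        if g[0] == 'X':                             # not X phi  =>  X not phi
            return ('X', nnf(('not', g[1])))
        if g[0] == 'U':                             # not (phi U psi)  =>  (not phi) R (not psi)
            return ('R', nnf(('not', g[1])), nnf(('not', g[2])))
        if g[0] == 'R':                             # not (phi R psi)  =>  (not phi) U (not psi)
            return ('U', nnf(('not', g[1])), nnf(('not', g[2])))
        if g[0] == 'and':                           # De Morgan
            return ('or', nnf(('not', g[1])), nnf(('not', g[2])))
        if g[0] == 'or':
            return ('and', nnf(('not', g[1])), nnf(('not', g[2])))
    if op == 'X':
        return ('X', nnf(f[1]))
    return (op, nnf(f[1]), nnf(f[2]))               # and / or / U / R: recurse on both sides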

Tableaux Expansion

  • $\phi \mathbf{U} \psi \Rightarrow \psi \vee (\phi \wedge \mathbf{X}(\phi \mathbf{U} \psi)) $
  • $\phi \mathbf{R} \psi \Rightarrow \psi \wedge (\phi \vee \mathbf{X}(\phi \mathbf{R} \psi)) $

Disjunctive Normal Form

Once all formulas are converted to the following form, each disjunct corresponds to a state.

$$\bigvee_i \bigg( \bigwedge_j I_{ij} \wedge \bigwedge_k \mathbf{X}\psi_{ik} \bigg)$$

Note $\bigwedge_j I_{ij}$ represents the labels, and $\bigwedge_k \mathbf{X}\psi_{ik}$ shows the transition. When the $\mathbf{X}$-formula is not present, we write $\mathbf{X} \top$.

Cover

The cover of a set of LTL formulas $\Psi = \{ \psi_1, \ldots, \psi_k \}$ computes the set of initial states of the Büchi automaton representing $\bigwedge_i \psi_i$. A state $s$ is denoted $\langle \lambda, \chi, \sigma \rangle$, where $\lambda$ is the set of labels (literals), $\chi$ the set of next-state formulas, and $\sigma$ the set of subformulas satisfied in $s$.

$$\mathsf{Cover}(\Psi) := \mathsf{Expand}(\Psi, \langle \emptyset, \emptyset, \emptyset \rangle)$$

Expand

We quote its definition. Assume $s = \langle \lambda, \chi, \sigma \rangle$ and let $l$ be a propositional literal; then $\mathsf{Expand}(\Psi, s) =$

\begin{align*} \begin{cases} s & \Psi = \emptyset \\ \emptyset & \bot \in \Psi \\ \mathsf{Expand}(\Psi \backslash \{\top\} , s) & \top \in \Psi \\ \mathsf{Expand}(\Psi \backslash \{l\}, \langle \lambda \cup \{l\}, \chi, \sigma \cup \{l\} \rangle) & l \in \Psi \\ \mathsf{Expand}(\Psi \backslash \{\mathbf{X}\psi\}, \langle \lambda , \chi \cup \{ \psi \}, \sigma \cup \{\mathbf{X}\psi\} \rangle) & \mathbf{X}\psi \in \Psi \\ \mathsf{Expand}(\Psi \cup \{\psi_1, \psi_2\} \backslash \{\psi_1 \wedge \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \wedge \psi_2\} \rangle) & \psi_1 \wedge \psi_2 \in \Psi \\ \mathsf{Expand}(\Psi \cup \{\psi_1\} \backslash \{\psi_1 \vee \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \vee \psi_2\} \rangle) \cup \\ \mathsf{Expand}(\Psi \cup \{\psi_2\} \backslash \{\psi_1 \vee \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \vee \psi_2\} \rangle) & \psi_1 \vee \psi_2 \in \Psi \\ \mathsf{Expand}(\Psi \cup \{\psi_1\} \backslash \{\psi_1 \mathbf{U} \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi \cup \{\psi_1 \mathbf{U} \psi_2\}, \sigma \cup \{\psi_1 \mathbf{U} \psi_2\} \rangle) \cup \\ \mathsf{Expand}(\Psi \cup \{\psi_2\} \backslash \{\psi_1 \mathbf{U} \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \mathbf{U} \psi_2\} \rangle) & \psi_1 \mathbf{U} \psi_2 \in \Psi \\ \mathsf{Expand}(\Psi \cup \{\psi_2\} \backslash \{\psi_1 \mathbf{R} \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi \cup \{\psi_1 \mathbf{R} \psi_2\}, \sigma \cup \{\psi_1 \mathbf{R} \psi_2\} \rangle) \cup \\ \mathsf{Expand}(\Psi \cup \{\psi_1, \psi_2\} \backslash \{\psi_1 \mathbf{R} \psi_2\}, \\ \quad \quad \quad \langle \lambda, \chi, \sigma \cup \{\psi_1 \mathbf{R} \psi_2\} \rangle) & \psi_1 \mathbf{R} \psi_2 \in \Psi \end{cases} \end{align*}
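The following is a simplified sketch of Cover/Expand over NNF formulas encoded as nested tuples (as in the NNF sketch above); a state is a triple of frozensets (labels, next, satisfied), $\top$ and $\bot$ are encoded as the strings 'true' and 'false', and all names are mine. Conflicting literals are not pruned here, exactly as in the quoted definition.

def expand(psis, state):
    labels, nxt, sat = state
    if not psis:
        return {state}
    f = next(iter(psis))                            # pick any formula to expand
    rest = psis - {f}
    if f == 'false':
        return set()
    if f == 'true':
        return expand(rest, state)
    if isinstance(f, str) or f[0] == 'not':         # literal: record it in the labels
        return expand(rest, (labels | {f}, nxt, sat | {f}))
    if f[0] == 'X':                                 # defer the argument to the next state
        return expand(rest, (labels, nxt | {f[1]}, sat | {f}))
    if f[0] == 'and':
        return expand(rest | {f[1], f[2]}, (labels, nxt, sat | {f}))
    if f[0] == 'or':                                # split into two candidate states
        return (expand(rest | {f[1]}, (labels, nxt, sat | {f})) |
                expand(rest | {f[2]}, (labels, nxt, sat | {f})))
    if f[0] == 'U':                                 # psi1 U psi2 = psi2 or (psi1 and X(psi1 U psi2))
        return (expand(rest | {f[1]}, (labels, nxt | {f}, sat | {f})) |
                expand(rest | {f[2]}, (labels, nxt, sat | {f})))
    if f[0] == 'R':                                 # psi1 R psi2 = psi2 and (psi1 or X(psi1 R psi2))
        return (expand(rest | {f[2]}, (labels, nxt | {f}, sat | {f})) |
                expand(rest | {f[1], f[2]}, (labels, nxt, sat | {f})))

def cover(psis):
    return expand(frozenset(psis), (frozenset(), frozenset(), frozenset()))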

Construct $A_\phi$

With the above operations defined, we construct the Büchi automaton for an LTL formula: $A_\phi = (Q, Q_0 , \Sigma, L, T , FT)$, where

  • $Q_0 = \mathsf{Cover}(\{\phi\})$;
  • $Q$ is the smallest set such that $Q_0 \subseteq Q$ and, whenever $\langle \lambda, \chi, \sigma \rangle \in Q$, also $\mathsf{Cover}(\chi) \subseteq Q$;
  • the labeling function is $L(s) = \{a \in \Sigma \mid a \models \lambda \}$;
  • the transition relation is $T = \{(s,s') \mid s = \langle \lambda, \chi, \sigma \rangle \wedge s' \in \mathsf{Cover}(\chi) \}$;
  • the fairness conditions are $FT = \{F_1, \ldots, F_n\}$, one for each until subformula $\phi_i \mathbf{U} \psi_i$, with $F_i = \{s \in Q \mid \phi_i \mathbf{U} \psi_i \notin \sigma \vee \psi_i \in \sigma \}$.

Examples

Here we present the Büchi automata built with the method above.

Fig 1. NBA of $\mathbf{FG}p$

Fig 2. NBA of $p \mathbf{U} q$

References

  1. R. Sebastiani, Automata-theoretic LTL Model Checking, slides on Formal Methods, 2012
  2. Wikipedia, Linear temporal logic to Buchi Automaton, http://en.wikipedia.org/wiki/Linear_temporal_logic_to_Büchi_automaton

Appendix

The following is a copy of the original copyright notice of the slides this article quotes.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Thursday, May 23, 2013

Bounded Model Checking Encoding

See appendix for credits.

Bounded Model Checking (BMC) is a SAT-based technique, as opposed to BDD-based symbolic model checking. It converts the model checking problem into a satisfiability problem. BMC looks for counter-examples by progressively increasing an integer bound $k$, the number of steps in a path. Note that verifying there is no counter-example within the bound $k$ does not by itself prove $M \models f$. BMC is most useful for troubleshooting, i.e. catching flaws in the model design.

The bridge

Given a Kripke model $M$, an LTL formula $f$ and a bound $k$,

$M \models_k \mathbf{E}f$ iff $\llbracket M, f \rrbracket_k$ is satisfiable.

$\models_k$ means the property is verified on paths of $k$ steps. $\llbracket M, f \rrbracket_k$ is defined as follows,

Fig. 1 The encoding of $\llbracket M, f \rrbracket_k$ in BMC

(1) splits the encoding into the model part (2) and the property part (3). (2) describes the execution of $M$ in $k$ steps, by constraining the initial state ($s_0$ is a vector of boolean variables assigned in that state) and the transition relation of each step. (3) is a disjunction of two portions: the first says there is no loop from $s_k$ back to any earlier state (the negation of the transition relations from $s_k$ to $s_{k-1}, \ldots, s_0$); the second covers the paths with a loop.
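As a hedged sketch of the model part (2), the following uses the Z3 Python bindings (an assumption about available tooling; the helper names and the toy model are mine, not from the slides). It unrolls $I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1})$ for a model given as two callbacks over vectors of boolean variables.

from z3 import Bool, And, Not, Or, Solver, sat

def unroll(n_bits, k, init, trans):
    # Encode I(s_0) /\ T(s_0, s_1) /\ ... /\ T(s_{k-1}, s_k), the model part (2).
    s = [[Bool("s%d_%d" % (i, b)) for b in range(n_bits)] for i in range(k + 1)]
    return s, And(init(s[0]), *[trans(s[i], s[i + 1]) for i in range(k)])

# Toy 1-bit toggler starting at 0: can the bit become 1 within k = 3 steps?
s, path = unroll(1, 3,
                 init=lambda v: Not(v[0]),
                 trans=lambda v, w: w[0] == Not(v[0]))
solver = Solver()
solver.add(path, Or(*[s[i][0] for i in range(4)]))  # a (loop-free) "F p" as a big disjunction
print(solver.check() == sat)                        # expected: True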

Fig. 2 The paths with and without loop

We do need two separate encodings (i.e. $\llbracket f \rrbracket^i_k$ and ${}_l\llbracket f \rrbracket^i_k$). For instance, only a finite path carrying a loop can witness properties like $\mathbf{G}p$, so properties must be described differently depending on whether a loop exists. Here is the formal chart,

Fig. 3 $\llbracket f \rrbracket^i_k$ and ${}_l\llbracket f \rrbracket^i_k$ unfolded alongside their LTL correspondence

The above is a recursive definition. The indices $i$, $k$, $l$ denote respectively the current state, the bound, and the loop point (there is an edge from $s_k$ back to $s_l$). In the base case, an atom $p$ maps to $p_i$, the variable representing the assignment of $p$ in state $s_i$; negation is defined likewise. The loop does not matter for these two cases, since only the current state is involved. Disjunction and conjunction are defined recursively. Before going further, we shall look at this figure,

Fig. 4 The loop case

$\mathbf{X}g$ is defined by a case distinction. In the loop-less case, when $i < k$ the current state is before the bound, so $s_i$ has a next state; otherwise the encoding is false. The loop case is similar, except that when $i = k$ the next state still exists thanks to the loop from $s_k$ to $s_l$. Note there is no case $i > k$: when the path loops back, $k+1$ becomes $l$, so everything stays within the bound $k$.

$\mathbf{G}g$ is simply false in the loop-less case (a finite prefix alone can never witness it). If there is a loop, we must make sure that every state within the loop verifies $g$ (hence a big conjunction), and also the states from the current state $s_i$ to the loop point $s_l$ when $i < l$.

$\mathbf{F}g$ is straightforward: we want $g$ to hold in at least one state of the path (both loop-less and with a loop), so a big disjunction is used.

Recall that $h \mathbf{U} g$ means $h$ remains true until $g$ becomes true. So in the loop-less case it corresponds to a disjunction (satisfiable if at least one component is true) over all possible witnesses, e.g. $g_i$, $h_i g_{i+1}$, $h_i h_{i+1} g_{i+2}$, etc. Similarly for $h \mathbf{R} g$, which says that the truth of $h$ releases $g$ from having to hold forever; in other words, $g$ is not free (it must stay true) before $h$ becomes true.

The situation becomes more involved in the loop case for these two. If the witness for $g$ lies between $s_i$ and $s_k$, we get a part similar to the loop-less one, $$ \bigvee_{j=i}^k \bigg( {}_l\llbracket \; g \; \rrbracket_k^j \wedge \bigwedge_{n=i}^{j-1} {}_l \llbracket \; h \; \rrbracket ^n_k \bigg)$$ It is accompanied by a second disjunct for the case where the witness is only reached after wrapping around the loop: the property must hold from $s_i$ up to $s_k$ and then from $s_l$ up to the witness, thanks to the loop edge $(s_k, s_l)$. So we have, $$ \bigvee_{j=l}^{i-1} \bigg( {}_l\llbracket \; g \; \rrbracket_k^j \wedge \bigwedge_{n=i}^{k} {}_l \llbracket \; h \; \rrbracket ^n_k \wedge \bigwedge_{n=l}^{j-1} {}_l\llbracket \; h \; \rrbracket_k^n \bigg)$$

The last case, $h \mathbf{R} g$ with a loop, can be rendered analogously.
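To make the loop-less column of Fig. 3 concrete, here is a hedged sketch of the translation $\llbracket f \rrbracket^i_k$ (no loop), again with the Z3 Python bindings and with formulas encoded as nested tuples as in the earlier LTL sketches; var and enc are my own names, not from the slides.

from z3 import Bool, And, Or, Not, BoolVal

def var(p, i):
    # The boolean variable standing for atom p in state s_i.
    return Bool("%s_%d" % (p, i))

def enc(f, i, k):
    # [[f]]_k^i without a loop (left column of Fig. 3); f is assumed to be in NNF.
    if isinstance(f, str):                                  # atom p -> p_i
        return var(f, i)
    op = f[0]
    if op == 'not':                                         # negated atom
        return Not(enc(f[1], i, k))
    if op == 'and':
        return And(enc(f[1], i, k), enc(f[2], i, k))
    if op == 'or':
        return Or(enc(f[1], i, k), enc(f[2], i, k))
    if op == 'X':                                           # a next state exists only if i < k
        return enc(f[1], i + 1, k) if i < k else BoolVal(False)
    if op == 'G':                                           # no finite prefix can witness G g
        return BoolVal(False)
    if op == 'F':                                           # some state in i..k satisfies g
        return Or(*[enc(f[1], j, k) for j in range(i, k + 1)])
    if op == 'U':                                           # h U g: a witness g_j preceded by h
        h, g = f[1], f[2]
        return Or(*[And(enc(g, j, k), *[enc(h, n, k) for n in range(i, j)])
                    for j in range(i, k + 1)])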

References

  • R. Sebastiani, SAT-based Bounded Model Checking, slides on Formal Methods, 2012, link
  • A. Biere et al, Bounded Model Checking, Vol. 58, Advances in Computers, 2003, pdf

Appendix

The following is a copy of the original copyright notice of the slides from which the images here were taken.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Tuesday, May 21, 2013

Conflict-Driven Backtracking and Clause-Learning

See appendix for credits.

Conflict-driven backtracking is a huge advancement over the classical chronological backtracking used in the DPLL algorithm. It lets modern solvers handle Boolean formulas with on the order of $10^7$ variables.

State of the art

The idea is to learn from errors. When we see a conflict, we find its cause (building a conflict set) and go back to the decision point where we could have chosen differently had we known this conflict set. This may sound hard for a machine to do, but it is made operational by the following algorithm, which is at the core of most modern SAT solvers.

Deciphering the myth

Data structure: a stack partitioned into decision levels. Each level consists of a decision literal and its implied literals (unit-propagated). Every implied literal is tagged with the clause that caused its unit propagation (aka its antecedent clause).

One level of the stack can be depicted as an implication graph made of nodes and edges. A node without incoming edges is a decision literal, because each incoming edge is marked with the antecedent clause of the implied literal. E.g.,

Fig. 1 An Implication Graph (Shown on Right)

Building the conflict set

It has two steps,

1. C := conflicting clause
2. repeat
       C := resolve(C, the antecedent clause of the last unit-propagated literal in C)
   until C satisfies some termination criterion

So what does "resolve" mean? It takes the disjunction of the two clauses and drops the complementary pair $A_i \vee \neg A_i$, which is trivially true. Resolution is the rule stating that the two input clauses entail the output clause (aka the resolvent); for a detailed discussion, see Resolution (logic). Performing it effectively undoes the unit propagation. And what is the termination criterion? Here comes the magic.
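A minimal sketch of the resolution step, with clauses as frozensets of signed integer literals (negative = negated, as in DIMACS); the naming is mine.

def resolve(c1, c2, pivot):
    # Resolvent of c1 and c2 on pivot: the union of both clauses minus the complementary pair.
    assert pivot in c1 and -pivot in c2
    return (c1 - {pivot}) | (c2 - {-pivot})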

1st UIP

It stands for First Unique Implication Point and is the state-of-the-art strategy: we stop as soon as $C$ contains exactly one literal of the current decision level. For instance (built from the same example above),

Fig. 2 Conflict set construction

From this we build the conflict set $\{ \neg A_{10} , \neg A_{11} , A_4 \}$ and "learn" (add) a new clause $c_{10} := A_{10} \vee A_{11} \vee \neg A_4$. Having reached the conflict, we know that $\neg A_{10}$ and $\neg A_{11}$ cannot coexist with $A_4$, so we backtrack to the level of $\neg A_{11}$ and there assign $\neg A_4$: we cut off all paths to $A_4$ from that point on and will never fall into this conflict set again (we learned from the error).
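As a hedged sketch of the analysis loop (literals are signed ints, clauses frozensets; level maps a variable to its decision level, antecedent maps an implied variable to the clause that propagated it, and trail is the assignment stack with the most recent literal last; all of this naming is mine):

def resolve(c1, c2, pivot):                         # same resolution step as in the sketch above
    return (c1 - {pivot}) | (c2 - {-pivot})

def analyze(conflict, trail, level, antecedent, current_level):
    c = frozenset(conflict)
    for lit in reversed(trail):                     # undo propagations, most recent first
        if len([l for l in c if level[abs(l)] == current_level]) == 1:
            break                                   # first UIP reached: stop resolving
        if -lit in c and abs(lit) in antecedent:
            c = resolve(antecedent[abs(lit)], c, lit)
    # Backjump to the second-highest decision level mentioned in the learned clause.
    levels = sorted({level[abs(l)] for l in c})
    backjump_level = levels[-2] if len(levels) > 1 else 0
    return c, backjump_level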

Drawbacks and a solution

We keep all these learned clauses, and at a large scale ($10^7+$ variables) this can exhaust memory. The solution is to keep only the active ones, i.e. those that appear (on the edges of the implication graph) in the current decision level.

Fig. 3 The breathtaking jump


Appendix

The following is a copy of the original copyright notice of the slides from which the images here were taken.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Monday, May 20, 2013

Classical Chronological Backtracking

See appendix for credits.

Chronological backtracking is an improvement over the basic backtracking of the DPLL algorithm. It can jump several assignments back in the assignment tree, whereas basic DPLL, upon a conflict, simply flips the last assigned literal (a single step).

The idea

There are two types of assignment: binary decisions, and unit propagations implied by those decisions. So when we reach a conflict, we jump back to the most recent decision point, discarding all the implied assignments caused by that decision.

Implementation

Assignments are stored in a stack with tags: unit, open, closed. They respectively mean unit propagation, first try (the other value is still available, thus open), and second try (no more chances on this literal). When a conflict is met, we pop the stack up to the most recent open assignment, flip it and mark it closed, and continue the search.
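A minimal sketch of this stack discipline (the representation is mine): each stack entry is a pair (literal, tag) with tag being 'unit', 'open' or 'closed', and literals are signed integers.

def backtrack(stack):
    # Pop everything up to the most recent 'open' decision, flip it and close it.
    while stack:
        lit, tag = stack.pop()
        if tag == 'open':
            stack.append((-lit, 'closed'))          # second try on this decision
            return True
    return False                                    # no open decision left: the formula is UNSAT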

Example

The background is a CNF SAT problem; what is shown is part of its assignment tree. Red literals are already assigned. We make a binary decision (true) on $A_1$, which makes the clauses $c_7$ and $c_8$ satisfied.

Fig. 1

As a consequence, $A_2, A_3, A_4, A_5, A_6$ are unit-propagated in order. But then $c_6$ becomes false and we reach a conflict. Following the chronological backtracking idea, we remove all the assignments made since $A_1$ and push $\neg A_1$ onto the stack.

Fig. 2


Appendix

The following is a copy of the original copyright notice of the slides from which the images here were taken.

Copyright notice: some material (text, figures) displayed in these slides is courtesy of M. Benerecetti, A. Cimatti, P. Pandya, M. Pistore, M. Roveri, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be displayed in public without containing this copyright notice.

Thursday, February 7, 2013

Clarke-Emerson Theorem

The theorem gives CTL formulas an iterative interpretation of their denotational semantics. \begin{align*} [\mathbf{EG} \phi] &= \nu z. ([\phi] \cap [\mathbf{EX} z]) \\ [\mathbf{E}(\phi \mathbf{U} \psi)] &= \mu z. ([\psi] \cup ([\phi] \cap [\mathbf{EX}z])) \\ [\mathbf{EF} \phi] &= \mu z. ([\phi] \cup [\mathbf{EX} z]) \end{align*}

Appendix

  • $[\mathbf{EX} \phi]$ is the existential pre-image of $[\phi]$.
  • $\nu z. F z$ calculates the greatest fixed point.
  • $\mu z. F z$ calculates the least fixed point.
  • $\mathbf{EF} \phi = \mathbf{E}(\top \mathbf{U} \phi)$

Wednesday, February 6, 2013

Expressiveness of LTL, CTL, CTL*

Consider the following examples.

  • $\mathbf{GF}p = \mathbf{AGAF}p = \mathbf{AGF} p$
  • Existential path quantification cannot be expressed in LTL, e.g. $\mathbf{EF}p$.
  • $\mathbf{FG}p \neq \mathbf{AFAG}p$, see Fig 1.
  • $\mathbf{EFG}p \neq \mathbf{FG}p \neq \mathbf{EFAG} p$
  • $\phi \in$ LTL $\Rightarrow \mathbf{A} \phi \in $CTL*
  • All CTL formulae are automatically CTL*.

Fig. 1 A Kripke Model $M \models \mathbf{FG}p$ but $M \not \models \mathbf{AFAG}p$

In summary,

  • They can all express some common formulae.
  • Some CTL formulae are not covered in LTL.
  • Some LTL formulae can not be expressed by CTL.
  • Some CTL* formulae are covered neither in CTL nor LTL.
  • CTL* subsumes both CTL and LTL.